Rick Tanner wrote:
| AnMaster wrote:
| |
| | Backward compatibility would be supported by plain text login once and then upgrade
| | password in player file to store the "shared secret", then HMAC-SHA256 would be used in
| | future to log in. I feel that it is less of an issue storing an unencrypted shared secret
| | on the server than, as we currently do, sending it in plain text over network.
|
| What about password resets in cases where a player returns from a long
| hiatus and can't remember their password?
|
| Under the current system, a person with server/shell access can reset
| that player's password. Would this new system prevent this?
|

No. As it is a shared secret, it would actually have to be stored in plain text on the server (still less of an issue than sending it unencrypted, or if that is considered a very bad issue, I could use a more sophisticated protocol, like that SSH uses).

And yes, resetting password on server would be possible both ways.

Regards,
Arvid Norlander
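
Added example, not part of the original message or the Crossfire code: one way the login flow discussed above could work, assuming the server issues a random single-use nonce as the HMAC-SHA256 challenge. The class, method names, record layout and the SHA-256 stand-in for the old password format are all hypothetical.

```python
import hashlib
import hmac
import secrets


class Server:
    """Toy login server. Record layout and messages are assumptions."""

    def __init__(self):
        self.shared = {}      # name -> shared secret, stored unencrypted
        self.legacy = {}      # name -> old password hash (stand-in format)
        self.pending = {}     # name -> outstanding one-time nonce

    def add_legacy_player(self, name, password):
        self.legacy[name] = hashlib.sha256(password.encode()).digest()

    def legacy_login(self, name, password):
        # One last plain-text login, then the record is upgraded.
        old = self.legacy.get(name)
        got = hashlib.sha256(password.encode()).digest()
        if old is None or not hmac.compare_digest(old, got):
            return False
        del self.legacy[name]
        self.shared[name] = password.encode()
        return True

    def admin_reset(self, name, new_password):
        # Someone with server/shell access overwrites the stored secret.
        self.legacy.pop(name, None)
        self.shared[name] = new_password.encode()

    def challenge(self, name):
        self.pending[name] = secrets.token_bytes(32)
        return self.pending[name]

    def verify(self, name, tag):
        nonce = self.pending.pop(name, None)   # single use, so no replay
        secret = self.shared.get(name)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def client_response(password, nonce):
    # The client proves it knows the secret without sending it.
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()
```

Because the server recomputes the HMAC itself, it must hold the secret in usable form, which is why the reset by someone with shell access keeps working.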

